Feature/improved version compare
Description
This pull request adds an improved version compare algorithm. In case a purl of type `pkg:deb` is used, versions are sorted according to the Debian policy for versions (https://man7.org/linux/man-pages/man7/deb-version.7.html); in all other cases semantic version sorting (https://semver.org/) is used. Further, a simple structure for adding new version sorting systems is added.
Addressed Issue
closes #4445 SBOMs from Ubuntu with purls seem not to work with Google OSV
closes #1374 openssl - ubuntu package - versions not matched correctly
Additional Details
A large set of test data for use in the new unit test for the version comparison algorithm is added, which can also be used for fuzz testing.
Here also screenshots + test SBOMs + log data from the actual snapshot + logging patch (.orig files) and then actual snapshot + patches from this pull request (.mod files)
Semantic version (original):
Semantic version (pull-request):
Debian version (original):
Debian version (pull-request):
Test-SBOM for SemverTest: semver_sbom_test.json
Test-SBOM for DebianTest: debian_sbom_test.json
Apiserver logs (original + log-patch): log.orig.txt
Apiserver logs (pull-request): log.mod.txt
Checklist
- [x] I have read and understand the contributing guidelines
- [x] This PR fixes a defect, and I have provided tests to verify that the fix is effective
- [x] This PR implements an enhancement, and I have provided tests to verify that it works as intended
- [~] This PR introduces changes to the database model, and I have added corresponding update logic
- [~] This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
Do I need to do the DCO?
Coverage summary from Codacy
See diff coverage on Codacy
| Coverage variation | Diff coverage |
|---|---|
| :white_check_mark: +0.15% (target: -1.00%) | :white_check_mark: 77.00% (target: 70.00%) |
Coverage variation details
| Coverable lines | Covered lines | Coverage | |
|---|---|---|---|
| Common ancestor commit (f4b20e9a51b082e47a6d080fff1d24f9375bad62) | 23973 | 19317 | 80.58% |
| Head commit (9c65246b9baf594cda724f7e60e47ee92daaa576) | 24040 (+67) | 19407 (+90) | 80.73% (+0.15%) |
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>
Diff coverage details
| Coverable lines | Covered lines | Diff coverage | |
|---|---|---|---|
| Pull request (#4650) | 100 | 77 | 77.00% |
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%
@Andre-85 Thanks for this work, I hope this will be merged soon.
@nscuro Can I politely ask whether you will merge this soon? Thank you. :)
Rebased to 4.12.7.
:tada: Snyk checks have passed. No issues have been found so far.
:white_check_mark: security/snyk check is complete. No issues have been found. (View Details)
Rebased to DependencyTrack 4.13.0
any update on this?
any update on this?
No, just waiting for merge
Hello Andre,
I face the same issue that Debian package versions are not compared correctly. So thanks for taking on this issue.
I tested the branch in a local DT installation and could observe improvements to the version comparison. Nevertheless, I still encounter a lot of false positives, e.g. (affected versions from osv.dev):
- tar:
  - UBUNTU-CVE-2019-9923
    Version: 1.30+dfsg-7ubuntu0.20.04.4
    Affected versions: [ 1.30+dfsg-6 1.30+dfsg-7 ]
- vim:
  - UBUNTU-CVE-2020-20703
    Version: 2:8.1.2269-1ubuntu5.32
    Affected versions: [ 2:8.1.0875-5ubuntu2 2:8.1.0875-5ubuntu3 2:8.1.0875-5ubuntu4 2:8.1.2269-1ubuntu1 2:8.1.2269-1ubuntu4 ]
- openssl:
  - UBUNTU-CVE-2021-23840
    Version: 1.1.1f-1ubuntu2.24
    Affected versions: [ 1.1.1c-1ubuntu4 1.1.1d-2ubuntu3 1.1.1d-2ubuntu6 1.1.1f-1ubuntu1 1.1.1f-1ubuntu2 1.1.1f-1ubuntu2.1 ]
The package version is somehow similar to one of the affected versions, but not equal to it. It looks like later parts of the version are not taken into account.
I'm also not sure if the version comparison is aligned with the specification of the Debian project. The version sorting algorithm is described here: https://manpages.debian.org/testing/dpkg-dev/deb-version.7.en.html#Sorting_algorithm
sorry, committed to wrong branch
@koberbe: Thanks for testing! I guess the problem you are facing is #4725. I looked up the CVEs that you mentioned (for tar, vim and openssl) at osv.dev. Besides listing affected versions, for all three packages a version range of affected versions is given. All ranges start from 0. Using the fixed version info + the single versions marked as affected and putting them in a unit test in CompareVersionTest:
```java
// Unit test added to CompareVersionTest (JUnit 4 style, as used by the surrounding tests).
// Ecosystem, EcosystemFactory and ComponentVersion(ecosystem, String) are the
// classes introduced by this pull request.
import java.util.ArrayList;
import java.util.List;

import org.junit.Assert;
import org.junit.Test;

import com.github.packageurl.PackageURL;

public class CompareVersionTest {

    @Test
    public void testKoberbe() {
        Ecosystem ecosystem = EcosystemFactory.getEcosystem(PackageURL.StandardTypes.DEBIAN);

        // tar: fixed version, scanned version and the single affected versions listed by osv.dev
        ComponentVersion version_tar_fixed = new ComponentVersion(ecosystem, "1.30+dfsg-7ubuntu0.20.04.1");
        ComponentVersion version_tar = new ComponentVersion(ecosystem, "1.30+dfsg-7ubuntu0.20.04.4");
        List<ComponentVersion> versions_tar_affected = new ArrayList<>();
        versions_tar_affected.add(new ComponentVersion(ecosystem, "1.30+dfsg-6"));
        versions_tar_affected.add(new ComponentVersion(ecosystem, "1.30+dfsg-7"));

        // vim
        ComponentVersion version_vim_fixed = new ComponentVersion(ecosystem, "2:8.1.2269-1ubuntu5");
        ComponentVersion version_vim = new ComponentVersion(ecosystem, "2:8.1.2269-1ubuntu5.32");
        List<ComponentVersion> versions_vim_affected = new ArrayList<>();
        versions_vim_affected.add(new ComponentVersion(ecosystem, "2:8.1.0875-5ubuntu2"));
        versions_vim_affected.add(new ComponentVersion(ecosystem, "2:8.1.0875-5ubuntu3"));
        versions_vim_affected.add(new ComponentVersion(ecosystem, "2:8.1.0875-5ubuntu4"));
        versions_vim_affected.add(new ComponentVersion(ecosystem, "2:8.1.2269-1ubuntu1"));
        versions_vim_affected.add(new ComponentVersion(ecosystem, "2:8.1.2269-1ubuntu4"));

        // openssl
        ComponentVersion version_openssl_fixed = new ComponentVersion(ecosystem, "1.1.1f-1ubuntu2.2");
        ComponentVersion version_openssl = new ComponentVersion(ecosystem, "1.1.1f-1ubuntu2.24");
        List<ComponentVersion> versions_openssl_affected = new ArrayList<>();
        versions_openssl_affected.add(new ComponentVersion(ecosystem, "1.1.1c-1ubuntu4"));
        versions_openssl_affected.add(new ComponentVersion(ecosystem, "1.1.1d-2ubuntu3"));
        versions_openssl_affected.add(new ComponentVersion(ecosystem, "1.1.1d-2ubuntu6"));
        versions_openssl_affected.add(new ComponentVersion(ecosystem, "1.1.1f-1ubuntu1"));
        versions_openssl_affected.add(new ComponentVersion(ecosystem, "1.1.1f-1ubuntu2"));
        versions_openssl_affected.add(new ComponentVersion(ecosystem, "1.1.1f-1ubuntu2.1"));

        // range check: the fixed version must sort before the scanned version
        Assert.assertTrue(version_tar_fixed.compareTo(version_tar) < 0);
        Assert.assertTrue(version_vim_fixed.compareTo(version_vim) < 0);
        Assert.assertTrue(version_openssl_fixed.compareTo(version_openssl) < 0);

        // single version check: none of the affected versions may compare equal to the scanned version
        for (ComponentVersion version : versions_tar_affected) {
            Assert.assertTrue(version.compareTo(version_tar) != 0);
        }
        for (ComponentVersion version : versions_vim_affected) {
            Assert.assertTrue(version.compareTo(version_vim) != 0);
        }
        for (ComponentVersion version : versions_openssl_affected) {
            Assert.assertTrue(version.compareTo(version_openssl) != 0);
        }
    }
}
```
The unit test runs without any problems. For looking up the versions you used, I guess you are using Ubuntu 20.04. Since DependencyTrack thinks about the worst case and looks if the version given in the latest ecosystem version (later than 20.04 for sure) is vulnerable, it produces false positives this way. So I would suggest you move your report to bug #4725, which I want to resolve after the version comparison is merged.
Coverage summary from Codacy
See diff coverage on Codacy
| Coverage variation | Diff coverage |
|---|---|
| :white_check_mark: +0.26% (target: -1.00%) | :white_check_mark: 77.00% (target: 70.00%) |
Coverage variation details
| Coverable lines | Covered lines | Coverage | |
|---|---|---|---|
| Common ancestor commit (f4b20e9a51b082e47a6d080fff1d24f9375bad62) | 23973 | 19317 | 80.58% |
| Head commit (829e96a21cd1ef13f928ba5e801f98db71bdaeda) | 24053 (+80) | 19444 (+127) | 80.84% (+0.26%) |
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>
Diff coverage details
| Coverable lines | Covered lines | Diff coverage | |
|---|---|---|---|
| Pull request (#4650) | 100 | 77 | 77.00% |
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%
code style is fixed.
Added a test set for fedora. The version compare parameter will follow
Very interesting. Thanks for explaining. I hope I got it right that for UBUNTU-CVE-2019-9923 (tar, 1.30+dfsg-7ubuntu0.20.04.4) a vulnerability is reported because the version 1.30+dfsg-7ubuntu0.20.04.4 is in the range of 0 to 1.34+dfsg-1build3, which is reported for Ubuntu 22.04. It would be great to be able to filter by ecosystem.
@koberbe : You're welcome. But please report your issue also at https://github.com/DependencyTrack/dependency-track/issues/4725 and provide a minimal sbom showing these issues if possible.
PS: And yes you got the ecosystem version problem right :)
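To make the two points in this thread concrete (the deb-version(7) sorting the description refers to, and the range behaviour behind the tar/vim/openssl false positives discussed above), here is an added Python example that is not part of this pull request or of DependencyTrack. It re-implements the dpkg comparison (epoch first, then upstream version, then Debian revision, with `~` sorting before everything and letters before non-letters) and an OSV-style `introduced <= version < fixed` check. The version strings are the ones quoted in this thread; the two fixed versions used as range endpoints (1.30+dfsg-7ubuntu0.20.04.1 from the unit test above and 1.34+dfsg-1build3 from the Ubuntu 22.04 entry mentioned above) are assumed here to be the OSV `fixed` events of the 20.04 and 22.04 ranges.

```python
"""Debian (dpkg) version comparison plus an OSV-style range check.

Added example, not DependencyTrack code. Re-implements the sorting algorithm
from deb-version(7) and replays the versions quoted in this thread.
"""
from functools import cmp_to_key


def _is_digit(c):
    return "0" <= c <= "9"


def _order(c):
    """dpkg weight of a non-digit character: '~' sorts before anything (even the
    end of the string), ASCII letters sort before all other characters."""
    if _is_digit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream_version / debian_revision strings like dpkg's
    verrevcmp(): alternate between non-digit runs (ordered by _order) and
    digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: strip leading zeros, then compare digit by digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1   # a has more digits left, so its number is larger
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(version):
    """Split [epoch:]upstream_version[-debian_revision]. A missing epoch is 0;
    a missing revision is "" (which sorts the same as revision 0)."""
    epoch = 0
    rest = version.strip()
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_debian_versions(a, b):
    """Return -1, 0 or 1 ordering a against b per deb-version(7)."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def sort_debian_versions(versions):
    return sorted(versions, key=cmp_to_key(compare_debian_versions))


def in_osv_range(version, introduced, fixed):
    """OSV ECOSYSTEM range semantics: affected if introduced <= version < fixed."""
    return (compare_debian_versions(introduced, version) <= 0
            and compare_debian_versions(version, fixed) < 0)


if __name__ == "__main__":
    # Constructed from the tar case in this thread: the scanned version is fixed
    # for the 20.04 range but still falls inside the (assumed) 22.04 range.
    scanned = "1.30+dfsg-7ubuntu0.20.04.4"
    print(sort_debian_versions(["1.30+dfsg-7", scanned, "1.30+dfsg-6", "1.0~rc1-1", "1:0.9-1"]))
    print("20.04 range:", in_osv_range(scanned, "0", "1.30+dfsg-7ubuntu0.20.04.1"))
    print("22.04 range:", in_osv_range(scanned, "0", "1.34+dfsg-1build3"))
```

Run as a script it prints the sorted list and `False` for the 20.04 range but `True` for the 22.04 range: the comparison itself is correct, and the false positive comes from matching against a range that belongs to a later Ubuntu release, which is why a per-ecosystem filter is needed on top of correct sorting.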
Any update on this?
Is there any update on merging this one? The improvement is quite significant, as many vulnerabilities are currently incorrectly matched, resulting in a report with numerous false positives. On a basic Debian/Ubuntu image, DT shows 80 vulnerabilities from OSV source, while osv-scanner shows only 22 vulnerabilities. Thank you